I am inquiring about the latest version 1809 of Windows 10 Pro for x64 systems. The device in question may have Secure Boot enabled or disabled and is able to utilize custom Secure Boot keys.
The driver that I have written, which is intended for personal use on my primary laptop, needs to be loaded at startup. Due to security concerns and the potential added cost, I am hesitant to use Test Mode or obtain a paid certificate.
Is there a method to load a driver that is signed with my own key, allowing for manual trust in Windows and Secure Boot, without enabling Test Mode for all drivers?
I have come across an article that suggests this is possible; however, it mentions that this method only persists until the next Windows restart.
This happy circumstance of your having your own driver executing despite its having your own signature will persist through sleeps and hibernations until you next restart Windows.
Has anyone had success in persistently loading a self-signed driver using a similar approach?
3 Answers
Introduction
Windows 10 is a secure operating system that requires all drivers to be digitally signed before they can be loaded. This is to ensure that the drivers come from a trusted source and have not been tampered with. However, there are situations where you may need to load a self-signed driver, for example, when developing a driver for personal use. In such a case, you have two options, either to enable Test Mode or obtain a paid certificate. Both options have their drawbacks, and you may be hesitant to use them. In this blog post, we will explore whether it is feasible to run a self-signed driver without using Test Mode in Windows 10.
Secure Boot and Custom Secure Boot Keys
Before we delve into whether it is feasible to run a self-signed driver without using Test Mode, it is essential to understand Secure Boot and Custom Secure Boot keys. Secure Boot is a security feature in Windows 10 that ensures that the operating system loads only drivers that are digitally signed by a trusted authority. This prevents malware from loading during the boot process and compromising the system.
Custom Secure Boot keys, on the other hand, allow you to load drivers that are digitally signed by you or your organization. This is useful when you need to develop a driver for personal use or for your organization’s internal use. Custom Secure Boot keys can be created using tools provided by the manufacturer of the system firmware or using third-party tools.
Running a Self-Signed Driver without Test Mode
Now, let’s get to the heart of the matter. Is it feasible to run a self-signed driver without using Test Mode in Windows 10? The short answer is yes, it is possible. However, it is not a straightforward process, and it involves some risks.
The method involves adding your self-signed certificate to the Trusted Root Certification Authorities store in Windows and then signing your driver with that certificate. This will allow your driver to be loaded without requiring Test Mode. However, this method only persists until the next Windows restart, which means that you will need to repeat the process every time you reboot your system.
The Risks Involved
Before you decide to use this method, it is essential to understand the risks involved. When you add your self-signed certificate to the Trusted Root Certification Authorities store in Windows, you are essentially telling Windows to trust any driver that is signed with that certificate. This means that if someone gains access to your certificate, they can sign their driver with that certificate, and Windows will load it without any warnings.
Additionally, this method may not work if Secure Boot is enabled on your system. Secure Boot requires that all drivers be signed with a certificate that is trusted by the system firmware. If your self-signed certificate is not trusted by the system firmware, your driver will not load.
Alternative Solutions
If you are hesitant to use Test Mode or obtain a paid certificate, there are alternative solutions that you can consider. One such solution is to use a virtual machine to develop and test your driver. Virtual machines allow you to create a separate environment where you can test your driver without compromising your primary system’s security.
Another solution is to use the Windows Hardware Lab Kit (HLK) to test your driver. The HLK includes a set of tests that your driver must pass before it can be loaded on a Windows 10 system. Passing the tests ensures that your driver is compatible with Windows 10 and meets the security requirements.
Conclusion
In conclusion, it is feasible to run a self-signed driver without using Test Mode in Windows 10. However, this method involves some risks, and it may not work if Secure Boot is enabled on your system. If you are hesitant to use Test Mode or obtain a paid certificate, you can consider alternative solutions such as using a virtual machine or the Windows Hardware Lab Kit. It is essential to ensure that your driver is digitally signed and meets the security requirements before loading it on your system.
It is possible to load a self-signed driver in Windows 10 without using Test Mode, but it requires some additional steps.
First, you will need to create your own certificate and sign the driver with it. This can be done using the Microsoft Signing Tool (SignTool.exe). Once the driver is signed, you will need to add the certificate to the Trusted Root Certification Authorities store on your machine.
Next, you will need to configure Secure Boot to trust the certificate. If Secure Boot is enabled on your machine, you will need to add the certificate to the Secure Boot database. If Secure Boot is disabled, you will need to disable driver signature enforcement.
It is worth noting that the driver will only be loaded for the current session, and will not persist through reboots. To make the driver persist through reboots, you will need to add it to the Windows Startup folder or configure it to start as a service.
It’s also worth noting that self-signed drivers are not considered secure, as they can be easily compromised. So it’s not recommended to use a self-signed driver for any production system.
According to Geoff Chappell’s article, the limitation of self-signed drivers only loading until the next Windows restart is due to the reset of a registry value called Licensed, located in HKEY_LOCAL_MACHINE\System\ControlSet001\Control\CI\Protected.
To maintain the loading of a self-signed driver after reboot, this registry value needs to be preserved. This can be achieved by enabling CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners, which is a Windows product policy.
The provided repository contains a method for enabling CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners, allowing the registry value to be persisted and the self-signed driver to be loaded persistently.